
AWS: Problem with Backend Servers (ELB)

Tags: ELB, AWS, WAF, VPC

9 replies to this topic

#1 Rusty Ross

Rusty Ross
  • Members
  • 5 posts

Posted 10 January 2016 - 11:59 AM

I see a potentially very unfortunate Barracuda limitation in regards to defining backend real servers.

It seems as if these servers MUST be defined by IP address and that DNS names are not allowed.

If true, this is highly problematic for the case of backend servers that are behind a load balancer.

To be clear, in a very typical "WAF Sandwich" scenario, I'd be looking to do this:

AWS ELB (public facing) <--> Barracuda WAF <--> AWS ELB (internal) <--> Backend Webservers (in an autoscaling group)

The problem is that the internal ELB (the load balancer in front of the backend servers) needs to be pointed at via DNS, not by hard IPs, because the hard IPs for the ELB can and will change without warning.

It's hard for me to believe that this (common) pattern is not possible with Barracuda WAF, but that seems to me to be the case. Am I missing something?

If not, I believe this would deem Barracuda unviable for me (and I would imagine others) in AWS.

 

 



#2 Kaushik Thirumurthy

Kaushik Thirumurthy
  • Barracuda Team Members
  • 41 posts

Posted 10 January 2016 - 07:12 PM

Hello Rusty,

The server identifier can be either IP address or Hostname.

Please edit the server configuration under the respective service on the Basic --> Services page, and there you can configure the server identifier option.

Do post if you have any questions. Thank you.

 

Regards,

Kaushik



#3 Rusty Ross

Rusty Ross
  • Members
  • 5 posts

Posted 11 January 2016 - 02:26 AM

I had already tried this, and just tried again, and the UI definitely rejects my trying to name the backend servers instead of providing a hard IP address. See the linked screenshot:

https://www.dropbox.com/s/dedj3b0qql4gz3m/lb.png?dl=0

 

Rusty



#4 Tushar Richabadas

Tushar Richabadas
  • Moderators
  • 42 posts

Posted 11 January 2016 - 05:43 AM

Hi Rusty,

You can add the FQDN of the ELB to the service as a server. To do this, you'll need to enable an advanced setting to allow addition of a server using the hostname.

Navigate to Advanced -> System Configuration.

Set "Show Advanced Settings" to Yes.

Now navigate to the Service page, and click on Server to add a server to the service you wish to use the FQDN with.

In the pop-up, select the Identifier to be Hostname.

Fill the Hostname field with the FQDN.

Add the server.

The WAF will now resolve the IP of this ELB and show it as the server. The DNS resolution will be performed repeatedly, using the TTL received as the interval.

We have one limitation here: if the DNS resolution returns more than one IP address, we will use only one of them at this time. This is being fixed in our next release.
 
 
 
Thanks,
Tushar

Tushar Richabadas

Product Manager - WAF and ADC

trichabadas@barracuda.com


#5 Anshuman

Anshuman

    WAF / BYB

  • Barracuda Team Members
  • 38 posts

Posted 21 January 2016 - 01:19 AM

The "Server Identifier" option will be available by default from the next firmware version (8.1)



#6 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 04 February 2016 - 11:33 AM


 

For this you can add the service without a real server and add the server afterwards.

 

 


 

Tushar, the hostname now doesn't accept long names such as the ELB name, so it is not possible; it is valid only for Elastic Beanstalk apps with high resource consumption. So in this case, is the FQDN the real URL?



#7 Tushar Richabadas

Tushar Richabadas
  • Moderators
  • 42 posts

Posted 05 February 2016 - 02:09 AM


 

Nestor,

I just brought up a WAF (hourly, version 8.0.0007) on AWS to check this.

The configuration works as intended - I provided an internal ELB FQDN of the form:

internal-xxxxxxxxxxx-457486678.us-west-2.elb.amazonaws.com

in the hostname and it works fine.

I'll PM you the WAF details - IP and login info, so that you can take a look at the configuration.

-Tushar




#8 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 10 February 2016 - 11:26 AM


Hello Tushar, I'm sorry but it is not true at all. In version 8.0.1 firmware it didn't accept the ELB name for Elastic Beanstalk; for instance, awseb-e-b-AWSEBLoa-XXXXXXXXXXXXXX-XXXXXXXXXX.us-east-1.elb.amazonaws.com is an EB ELB and it is not accepted due to the limit on name characters. In my case I put the EB endpoint URL, for instance mysite.elasticbeanstalk.com, and in this way I could add the server by hostname.

For an ELB instanced manually, your option will work fine if the name is not as long as an Elastic Beanstalk ELB DNS name.



#9 Tushar Richabadas

Tushar Richabadas
  • Moderators
  • 42 posts

Posted 16 March 2016 - 01:20 AM

Hi Nestor,

We've removed the limitation of 64 characters on the hostname now. It can be up to 255 characters from 8.1 onwards.

Once 8.1 GA is out, you can upgrade and use it with the longer ELB FQDN.

Thanks


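A pre-flight check for the two constraints discussed in this thread, added here as an example and not Barracuda's or any poster's own code: it applies the hostname length limits quoted above (64 characters before 8.1, 255 from 8.1 onwards) plus standard DNS label rules to the two ELB names from the thread, and shows what the single-address limitation means for an ELB whose DNS answer carries several A records. The DNS answer is constructed inline; the `HOSTNAME_LIMIT` table and the `multi_ip_supported` flag are assumptions for the example, not product settings.

```python
import re
from dataclasses import dataclass

# Hostname limits as stated in the thread (assumption: applied to the whole FQDN).
HOSTNAME_LIMIT = {"8.0": 64, "8.1": 255}
# RFC 1035 label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# The two FQDNs quoted in the thread: a manually created internal ELB and a
# masked Elastic Beanstalk ELB (the X's are the poster's own redaction).
ELB_FQDN = "internal-xxxxxxxxxxx-457486678.us-west-2.elb.amazonaws.com"
EB_FQDN = "awseb-e-b-AWSEBLoa-XXXXXXXXXXXXXX-XXXXXXXXXX.us-east-1.elb.amazonaws.com"


@dataclass
class DnsAnswer:
    """Constructed stand-in for an A-record lookup result (no network needed)."""
    addresses: list
    ttl: int


def hostname_problems(fqdn: str, firmware: str) -> list:
    """Reasons the Hostname field would reject this FQDN; an empty list means OK."""
    name = fqdn.rstrip(".")
    problems = []
    limit = HOSTNAME_LIMIT[firmware]
    if len(name) > limit:
        problems.append(f"{len(name)} chars exceeds the {limit}-char limit of firmware {firmware}")
    for label in name.split("."):
        if not LABEL_RE.match(label):
            problems.append(f"invalid DNS label {label!r}")
    return problems


def resolution_plan(answer: DnsAnswer, multi_ip_supported: bool) -> dict:
    """Which ELB addresses the WAF would send traffic to, and how often it re-resolves."""
    # With the single-address limitation only the first A record is used, so the
    # ELB's other nodes receive nothing until a later lookup happens to pick another.
    used = list(answer.addresses) if multi_ip_supported else answer.addresses[:1]
    return {
        "used": used,
        "ignored": [a for a in answer.addresses if a not in used],
        "refresh_seconds": answer.ttl,  # thread: re-resolved using the received TTL
    }


if __name__ == "__main__":
    for fqdn in (ELB_FQDN, EB_FQDN):
        for fw in HOSTNAME_LIMIT:
            print(fw, fqdn, hostname_problems(fqdn, fw) or "OK")
    # Constructed answer: an ELB typically returns several A records, one per node.
    print(resolution_plan(DnsAnswer(["10.0.1.10", "10.0.2.10"], ttl=60), multi_ip_supported=False))
```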


#10 Madison Quinn

Madison Quinn
  • Members
  • 2 posts

Posted 05 June 2017 - 07:12 AM

Hello,

I have taken a look at your ELB and it does show your instance as being unhealthy for a period of time.

I would encourage you to investigate the log files on your backend instance, or also enable access logs for your ELB.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/access-log-collection.html

A load balancer takes requests from clients and distributes them across the EC2 instances (https://goo.gl/DgJjj9) that are registered with the load balancer.

You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.

 

Thanks.